More than 7 million people are victims of identity theft each year, or nearly 20,000 thefts a day, according to Gartner Research and Harris Interactive. Many thefts occur because of casual mistakes in the offline world: handing a credit card to the wrong person or scribbling your Social Security number on a sheet of paper someone can find. But many more are facilitated by the Internet, which still has a long way to go when it comes to protecting our privacy.

Identity pirates can gather all sorts of confidential information about you by prowling the Web. With a little more ingenuity, they can hack into your online accounts, mining credit card numbers, addresses, and telephone numbers. And if you let your guard down, they can use underhanded techniques like phishing and pharming to fool you into giving them information. Social engineers con many people into giving out sensitive data simply by asking for it.

Think you've taken the necessary precautions? Think again. Virgil Griffith, a researcher at Indiana University, recently found a hole in the system that affects us all. Most Web sites provide a way to access password-protected accounts when you've forgotten your password. When you sign up for an account, the site typically asks you to fill in the answer to a common question, such as "What's your mother's maiden name?" or "What street did you grow up on?" If you forget your password, the site grants you access when you answer this question.

Unfortunately, by trolling free public records in Texas, Griffith proved that anyone could track down mothers' maiden names for more than a quarter of the state's population.

"Two servers or even two different Web sites can work together to verify information like this, but without either one of them knowing enough to answer or find out the answers themselves," says Dr. Burt Kaliski, chief scientist for RSA Labs. Even if someone hacks the servers, they can't access your information.

Others are working to provide stronger authentication via hardware devices. Charles Palmer, head of security and privacy at IBM Research, believes many online privacy woes can be solved by leveraging a security chip like the Trusted Platform Module, an IBM-developed device now championed by several industry players. This kind of chip encrypts files and passwords, making them readable only on your computer.

Of course, you must also make sure that no one else can log on to your PC. That's where biometric authentication comes in. Fingerprint readers capable of verifying your identity are already available for desktops and laptops. Companies like Compaq, DigitalPersona, Ethentica, Identix, and Sony offer devices that attach via USB cable, and several IBM laptops actually come with integrated readers. Other companies, including such names as Iridian Technologies and Visage, are offering retinal scanning and facial-recognition tools.

A4Vision's facial-recognition technology can even verify your identity continually. Projecting a light through a filter, the system creates a virtual grid roughly four feet in width. As you step into this grid, it distorts to follow the topology of your face. A camera then measures the distance to your face at each point within the grid. These measurements are unique, and when you step in front of the camera once again, the system is able to identify you.

"We've used it in highly secure areas where companies want to know who is behind a workstation at all times," says CEO Grant Evans. "Our system can observe the person and give positive identification 14 or 15 times a second."

You could even use biometrics to verify your identity with a third party. The trouble is that when you use traditional biometrics, there's always the danger that someone will hack into a machine where your fingerprint, retinal, or facial information is stored. Recognizing this problem, researchers at the Stevens Institute of Technology, Johns Hopkins University, Carnegie Mellon, and Florida State are working on a biometrics system that can operate without storing your physical data.

The system would use your typing or voice patterns to store a code across two different tables of information. "Simply by typing on your keyboard, you could unlock the code," says Susanne Wetzel, a Stevens Institute researcher, "but to an attacker, the tables would look like random pieces of information."

This only begins to describe the vast arsenal of authentication and privacy projects under way at universities and in corporate research labs. In the years to come, identity theft will present a much tougher challenge to would-be thieves.